About

Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

February 27, 2012

QR codes versus NFC: Cheaper, but worth the risk?

In recent years, we've seen discussions on the value and viability of near-field communications (NFC) apps morph from the hypothetical to some actual real-life deployments. Google has rolled out an NFC mobile wallet, and others are on their way for trial rollouts, as we discussed in last week's post. As this burgeoning industry takes shape and the costs and barriers become more apparent, some interim and quite disruptive technological alternatives are gaining attention—namely QR (short for "quick response") codes. In fact, many merchants today are touting QR codes as the near-term alternative to a more costly deployment of contact and contactless chip-based payments using NFC and EMV interoperability and security technology standards. They are touting these QR codes despite the superior security that chip technology affords. These discussions beg the question: are short-term economic gains realized from less costly QR code technology adoption at the expense of payment security?

How do QR codes work?
QR codes are a two-dimensional form of barcode whose contents can be decoded electronically at high speed. QR code use exploded in 2011, and telephonic technology has expanded to support their application for storing all kinds of data, including URLs. As a result, consumers are increasingly using QR codes to access magazines and newspapers on the Internet and to find online product reviews by scanning price tags. The camera in a smartphone captures the picture of the QR code, and then decoding software helps the phone connect to a website or a file download.

QR codes and malware
Unfortunately, there is no way to visually discern whether the data contained in the QR code will direct the user to a malicious website or application. Infected QR code problems are just beginning to emerge because most people simply don't know the best way to protect their mobile device. According to Marian Merritt, a Norton online safety advocate, "fewer than 5 percent of people have got some form of security on their mobile devices." 2011 in particular witnessed an upsurge in hackers using QR codes as a means of transmitting mobile viruses in Russia. According to a recent report by AVG Technologies, scanning a QR code and executing its hidden applications on a mobile device is akin to "running an unknown executable on your computer." Mobile-related hacking events are expected to rise in 2012 with the advent of more advanced QR code-enabled mobile applications.

Should economy trump security?
QR codes fulfill a wide range of functionalities, but should they be used for payments? Starbucks has realized considerable success with its QR code-based mobile payment app with millions of transactions since it launched one year ago, and merchants are receptive to a more affordable point-of-sale payment acceptance system generally.

The risk of fraud in micropayments and closed-loop payment systems—such as the QR code prepaid business model that Starbucks uses for a cup of coffee—may not be as significant as for larger, open-loop transactions. Ultimately, QR codes may play a viable role in some smaller, and less risky, payment applications. Payments industry participants should carefully consider the ramifications of a strategy that expands their use more generally in lieu of NFC-enabled payments.

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

February 21, 2012

Security in the mobile wallet: Is it good enough yet?

For years we've heard about the future mobile wallet—using the phone to carry payment cards, loyalty rewards, bank account access, and identification instead of a traditional leather wallet. The wallet will also be able to hold electronic receipts for purchases made using the phone at a merchant's point of sale. 2012 portends to be the year of reckoning, with several trials scheduled for rollout. If your wallet resembles the one in the Seinfeld episode about George Costanza's exploding wallet, an electronic wallet contained in your mobile phone is a welcome prospect.

But the truth is that while recent developments in the application of near field communication (NFC) technology for mobile wallet trials have come faster than most industry expectations, a variety of hurdles are likely to waylay widespread adoption in the near term; namely, hurdles relating to security.

Different security deployments for mobile wallets may postpone widespread adoption
While, as noted in our 2011 mobile industry position paper, firms engaged in rolling out new mobile payments services have agreed that successful near-term adoption will rely on common standards for security and interoperability, free market dynamics dictate that all players in this new mobile ecosystem will not necessarily work together, motivated instead by a responsibility to create shareholder value. As a result, current industry discussions show that the service providers—namely, the mobile operators and the financial institutions partnering in these new business models—are considering different security deployments.

A recent article by Dan Balaban in the February 13 issue of NFC Times summarizes the situation well:

"While mobile operators continue to push for the SIM card to become the de facto secure element in NFC phones, some banks and other service providers still are seeking alternatives. The products that continue to draw the attention of a number of banks include microSDs, as well as iPhone attachments—the latter using either microSDs or embedded secure chips as secure element. Of course, there are no strong signals yet that microSDs, either as part of phone attachments or working in full NFC handsets, will challenge SIM cards or embedded chips as the primary secure element in contactless-mobile phones. At present, the microSDs generally carry higher costs, face logistical problems and still lack standards."

It stands to reason that a lack of standards in security can threaten consumer trust when something goes wrong, as we saw this week with the Google Wallet, the first U.S. mobile wallet deployment to date. Google has stopped activating new prepaid accounts in its mobile wallet after discovering a security flaw that allows unauthorized users to access the prepaid account without requiring a PIN. While the flaw is related more to the wallet application than to the security technology in the chip used to store data in the handset, the negative press from the event may impact consumer adoption for other mobile wallet trials scheduled to rollout in 2012.

Security standards for mobile apps may lag development cycle
According to ViaForensics, the lack of standards for mobile application security may challenge application testing methodologies. In fact, a February 13 post on ViaForensics' blog asserts that "...the speedy mobile development cycle and this lack of experience in the platforms is causing coders to throw all of those secure development principles the industry has fought for over the past five years right out the window when it comes to mobile apps..." While attention to security for mobile applications is evolving, ViaForensics's recent study found that financial services applications had the largest percentage of apps that passed their security tests.

Regulatory considerations for financial institutions
In most developed countries, such as the United States, mobile financial services are deployed in bank-led service models, partnering with the mobile telecom operators. A recent article published by the Federal Deposit Insurance Corporation, "Mobile Banking: Rewards and Risks," aptly notes that any financial service provider that engages a third-party service provider such as a telecom firm is expected to conduct appropriate due diligence to ensure they are working with reliable and reputable vendors to develop secure applications. Regulators will look to financial institutions to make sure their mobile services partners are fulfilling meeting the terms of third-party agreements with respect to application and device security.

Widespread adoption may occur gradually
While stakeholders develop common standards for device and application access, and data security, it may take a while for mobile wallets to become commonplace. Reported security mishaps may be beneficial, in the end, if they serve to temper consumer adoption while financial institutions and their mobile services partners work to identify and manage potential security issues.

Comments

Post a comment

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.